Cybersecurity for oilpatch services in northern Alberta.

Service rigs, hot-shot trucking, well-site services, environmental and remediation, lease equipment rental. Built around how a service company actually operates — chasing prequalification packages, juggling contract crews, and trying to keep the office paperwork in order between turnarounds.

The threat landscape in oilpatch services

The single most important shift for oilpatch service companies in the last two years has not been a new attack vector — it has been the contract requirement. Oil majors now embed cybersecurity attestations in prequalification packages. Service-company audits include questions about MFA enforcement, EDR deployment, backup configuration, vendor risk management, and incident response procedures. Companies that cannot answer these questions credibly are getting cut from approved vendor lists. The threat is no longer just “you get breached”. It is “you lose the contract”.

Beyond that, the attack patterns mirror the rest of the SMB landscape with a few sector-specific twists. Business email compromise targets payables — fuel, tubular goods, chemical suppliers — where invoice values are large and payment cycles are predictable. Site-trailer networks are often flat, unsegmented, and sit on whichever cellular or Starlink link is available; one compromised laptop on a remote lease can quietly reach the office tenant when the user comes home.

Contract-worker access is the under-recognized issue. Seasonal labour cycles mean people come on and off the platform every few weeks. Shared logins are common. Offboarding is irregular. We have seen environments where former hands still had access to the office Microsoft 365 tenant a year after their last shift — sometimes because of an oversight, sometimes because the only login into a vendor portal was shared across the crew and no one wanted to break it.

Ransomware against oilpatch services tends to hit during turnaround or shoulder season when the office staff is thin and the operational tempo is high. The cost of being unable to invoice, submit AER data, or respond to a customer request for the duration of an incident is rarely below five figures and often well into six.

Why oilpatch services are targeted

Three structural reasons. First, service companies sit one or two hops up the supply chain from major operators, which makes them attractive as a pivot — a compromised service-company tenant can be used to phish into the customer organization. Second, payables are high-value and routine, which is the ideal cover for banking-change fraud. Third, the operational tempo and seasonal workforce make consistent access control genuinely difficult, and attackers know which corners get cut when the rig is moving.

What we do for oilpatch services clients

We start with the documentation question — what your largest customer is actually going to ask on the next prequalification round — and work backwards from there. Managed EDR (Huntress) on every office and field endpoint. Microsoft 365 baseline with enforced MFA, conditional access, legacy authentication blocked, mailbox auditing enabled. Cloud backup separate from M365 retention. These are the controls oil-major questionnaires actually ask about, and they are the same controls that defend against the underlying threats.

For site-trailer connectivity we design the network so the trailer LAN is segmented from the office tenant, EDR runs through intermittent links, and a compromised tablet on a remote lease does not become a quiet foothold into your billing system. We standardize on per-person M365 accounts for contract workers, build the offboarding workflow into your safety paperwork, and audit access on a defined cadence so dormant accounts get caught before they become an entry point.

For AER data submission and regulatory recordkeeping, we make sure the generating systems are backed up to immutable storage with retention that outlasts your audit risk window. We do not write your environmental program or your operations procedures. We do make sure that a ransomware event does not also become a regulatory incident because the records are gone.

Tier recommendations for oilpatch services

Most service companies land at Tier 2 because the office tenant, the field devices, the contractor onboarding, and the prequalification paperwork all benefit from one provider holding the whole picture. Companies actively pursuing major-operator contracts often start with the $2,500 readiness assessment to map the gap.

Cyber Essentials

$95/seat/mo

For service-company office groups with an existing IT contractor or in-house generalist. Good fit when you need the cybersecurity controls and documentation to satisfy a single oil-major prequalification questionnaire but already have day-to-day IT handled.


Cyber Essentials + Managed IT

$175/seat/mo

Where most oilpatch service companies land. One provider for security, the office M365 tenant, the site-trailer connectivity, and the seasonal contractor onboarding cycle. Help desk that responds during turnaround when downtime is most expensive.


Cyber Premium

$275/seat/mo

For larger service companies (15+ office staff) or operators chasing prequalification with multiple oil majors at once. Adds BCDR, vCISO support for the documentation effort, annual tabletop, and cyber-insurance liaison. Sometimes mandated by carrier renewal.


Common questions from oilpatch services clients

Our oil-major customer just sent us a cybersecurity questionnaire. Can you help us fill it out?

Yes. The Cyber Insurance Readiness Assessment ($2,500 fixed) maps directly to the same questions oil majors are now asking on prequalification — MFA enforcement, EDR coverage, backup configuration, incident response procedures, vendor management. We produce a written gap analysis and a prioritized roadmap so you know exactly what to remediate before signing on. If you convert to a Tier 2+ retainer within 90 days, the assessment fee credits against your first three months.

How serious are the oil majors about this? Will they actually walk away?

Serious. Over the past two years, prequalification packages for service work have moved from a checkbox tick to a real technical questionnaire — and in some cases an audit. Smaller service companies are getting cut from approved vendor lists for failing to meet basic controls. The cost of compliance is now meaningfully lower than the cost of being de-listed from a major operator account.

How do you handle site-trailer connectivity? Our lease sites are off-grid.

Cellular, Starlink, or microwave. Whatever the site supports. We design the network layer so the trailer LAN is properly segmented from anything sensitive, MFA is enforced on the office tenant regardless of which connection the user is on, and EDR works through intermittent links. The goal is that a compromised tablet on a remote site does not become a foothold into your office tenant.

We hire seasonal contract workers. How do you handle access for them?

Per-person Microsoft 365 accounts with conditional access and a documented offboarding process — not shared logins. We build the onboarding and offboarding workflow with your safety or HR person so accounts get disabled the day a contractor's hitch ends, not three months later when someone notices. Shared logins are the single biggest access-control failure in oilpatch services and they are also the easiest one to fix.

Does AER data submission factor in?

Yes. Volumetric reporting, environmental data submission, and regulatory recordkeeping all need integrity controls — both for compliance and for your defence if something is ever questioned. We make sure the systems generating that data are backed up to immutable storage, the access logs are retained, and a ransomware event does not destroy the records you need to substantiate a submission.

Have a prequalification questionnaire to fill out?

Free 5-minute Risk Report shows you where you stand. Or get in touch about the $2,500 Cyber Insurance Readiness Assessment — the same controls that satisfy carriers also satisfy oil majors.